CVE-2026-33250
Published: 24 March 2026
Summary
CVE-2026-33250 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 25.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-33250 is a stack overflow vulnerability (CWE-20: Improper Input Validation, CWE-121: Stack-based Buffer Overflow) affecting Freeciv21, a free open-source turn-based empire-building strategy game. Versions prior to 3.1.1 crash when receiving specially crafted packets. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The issue impacts both the server and client components of the game.
A remote unauthenticated attacker can exploit this vulnerability to crash any public Freeciv21 server by sending malicious packets. Similarly, a malicious server can crash the game on a connecting player's machine. No authentication is required, and default logging does not provide useful information for detecting or analyzing such attacks.
Advisories recommend upgrading all Freeciv21 installations to version 3.1.1, where the issue is fixed. For non-public servers, running behind a firewall provides mitigation. Local games are unaffected, as Freeciv21 restricts connections to the current user. Details are available in the GitHub security advisory (GHSA-f76g-6w3f-f6r3), release notes for v3.1.1, the fixing commit (ad8e18ca22595529599782b2984bf44df8d69ed6), and Redmine issue 1955.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14642
Vulnerability details
Freeciv21 is a free open source, turn-based, empire-building strategy game. Versions prior to 3.1.1 crash with a stack overflow when receiving specially-crafted packets. A remote attacker can use this to take down any public server. A malicious server can use this to crash the game on the player's machine. Authentication is not needed and, by default, logs do not contain any useful information. All users should upgrade to Freeciv21 version 3.1.1. Running the server behind a firewall can help mitigate the issue for non-public servers. For local games, Freeciv21 restricts connections to the current user and is therefore not affected.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack overflow in public game server/client enables remote unauthenticated DoS via crafted packets (T1190 for public-facing exploitation; T1499.004 for application crash via vulnerability exploitation).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly addresses the improper input validation (CWE-20) causing stack overflow by requiring validation of specially crafted network packets before processing.
Requires timely flaw remediation through patching, such as upgrading Freeciv21 to version 3.1.1 where the stack overflow vulnerability is fixed.
Implements denial-of-service protections to block or limit the impact of remote unauthenticated attacks crashing the server or client with malicious packets.